Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

System Integrity Scan Wizard


  • This topic is locked This topic is locked
10 replies to this topic

#1 theblacksun

theblacksun

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 26 March 2008 - 02:50 AM

Hey, so im getting popups from system integrity scan wizard, and ive tried all sorts of different removers, and nothing finds it, panda, ad ware 2007, superantispyware, plus others
so i wanted to try manual deletion, but i dont know enough to know what the actual files are
so here is my hijackthis log
these are what i thought the problem might be, but i dont want to risk it
thnx if u help me
O4 - HKCU\..\Run: [wrvvxmmn] C:\WINDOWS\system32\erinwjct.exe
O4 - HKCU\..\Run: [ypoghmim] C:\WINDOWS\system32\hghcrwxw.exe



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:51:02 AM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bradford Networks\Client Security Agent\bndaemon.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Documents and Settings\All Users\Application Data\axwxufkz\ifglsdat.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Bradford Networks\Client Security Agent\bncsaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\erinwjct.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys Wireless-G PCI Adapter\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Adapter\WMP54Gv4.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\apvxdwin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ian\Desktop\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {9446B773-2632-41F3-B37B-F303EC1A3CA4} - (no file)
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Client Security Agent\bncsaui.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [wrvvxmmn] C:\WINDOWS\system32\erinwjct.exe
O4 - HKCU\..\Run: [SearchAndDestroyMFC] C:\Program Files\Search And Destroy\Search And Destroy.exe
O4 - HKCU\..\Run: [ypoghmim] C:\WINDOWS\system32\hghcrwxw.exe
O4 - HKLM\..\Policies\Explorer\Run: [ptB1JhrKOh] C:\Documents and Settings\All Users\Application Data\axwxufkz\ifglsdat.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {22D4879A-92DB-470D-8A83-E158797D8176} (Liquid.LiquidHelper) - file://E:\components\Liquid.ocx
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vtstu - C:\WINDOWS\system32\vtstu.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Client Security Agent Service (BNPagent) - Bradford Networks - C:\Program Files\Bradford Networks\Client Security Agent\bndaemon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Adapter\WLService.exe
O24 - Desktop Component 0: (no name) - http://homestarrunner.com/hsicons/sbdance.gif
O24 - Desktop Component 1: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 9835 bytes

BC AdBot (Login to Remove)

 


m

#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:21 PM

Posted 26 March 2008 - 06:32 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 theblacksun

theblacksun
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 26 March 2008 - 10:00 AM

heres the combofix log

ComboFix 08-03-25.2 - Ian 2008-03-26 7:56:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.737 [GMT -7:00]
Running from: C:\Documents and Settings\Ian\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
-- Script messages for sUBs --
VFind -rtd "C:\Program Files\VirusHeal*"

((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-26 00:59 . 2008-03-26 07:04 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-03-26 00:05 . 2008-03-26 00:05 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-26 00:05 . 2008-03-26 00:05 <DIR> d-------- C:\Documents and Settings\Ian\Application Data\SUPERAntiSpyware.com
2008-03-26 00:05 . 2008-03-26 00:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-25 23:05 . 2008-03-25 23:05 <DIR> d-------- C:\Documents and Settings\Ian\DoctorWeb
2008-03-25 23:01 . 2008-03-25 23:01 98,304 --a------ C:\WINDOWS\system32\hghcrwxw.exe
2008-03-23 18:53 . 2008-03-23 18:53 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-23 18:53 . 2008-03-23 18:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-23 17:33 . 2008-03-23 17:33 <DIR> d-------- C:\Program Files\CCleaner
2008-03-23 17:19 . 2008-03-23 17:19 3,258 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-23 17:12 . 2008-03-26 00:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-23 17:10 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-23 17:10 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-23 17:10 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-23 17:10 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-23 17:10 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-23 17:10 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-23 11:02 . 2008-03-23 11:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-03-23 10:41 . 2008-03-23 10:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-03-22 22:50 . 2008-03-22 22:50 <DIR> d-------- C:\WINDOWS\Search And Destroy
2008-03-22 22:50 . 2008-03-22 22:50 <DIR> d-------- C:\Program Files\Search And Destroy
2008-03-22 22:30 . 2008-03-22 22:30 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-22 21:08 . 2008-03-22 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\axwxufkz

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 14:51 80 ----a-w C:\WINDOWS\system32\drivers\netfltConfig.dat
2008-03-26 14:07 --------- d-----w C:\Program Files\Steam
2008-03-01 03:32 --------- d-----w C:\Program Files\Warcraft III
2008-02-22 02:23 --------- d-----w C:\Program Files\DivX
2008-02-14 20:32 --------- d-----w C:\Program Files\ReflexiveArcade
2008-02-12 00:40 --------- d-----w C:\Program Files\LimeWire
2008-02-12 00:40 --------- d-----w C:\Program Files\AIM
2008-02-04 06:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-01-04 20:11 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2005-05-14 00:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 18:13 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-14 04:27 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-10-08 02:14 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll
2005-07-14 19:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2004-01-25 07:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2006-04-27 17:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll
2006-06-10 22:56 681,175 --sh--w C:\WINDOWS\system32\utstv.bak1
2005-02-28 20:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 07:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((( snapshot@2008-03-25_22.23.34.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-26 07:05:09 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-03-26 07:05:09 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9446B773-2632-41F3-B37B-F303EC1A3CA4}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"Steam"="C:\Program Files\Steam\Steam.exe" [2007-10-17 14:43 1271032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools\daemon.exe" [2008-01-03 06:54 486856]
"wrvvxmmn"="C:\WINDOWS\system32\erinwjct.exe" [2008-03-22 21:08 94208]
"SearchAndDestroyMFC"="C:\Program Files\Search And Destroy\Search And Destroy.exe" [2008-01-01 10:24 12546155]
"ypoghmim"="C:\WINDOWS\system32\hghcrwxw.exe" [2008-03-25 23:01 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-07-29 04:07 188416]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 03:24 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 14:54 229952]
"bncsaui.exe"="C:\Program Files\Bradford Networks\Client Security Agent\bncsaui.exe" [2007-08-23 16:32 1916296]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 10:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 10:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 10:22 86016]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2008-01-07 17:56 1816208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-06-13 10:34 2078944]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless-B PCI Adapter Utility.lnk - C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe [2005-01-15 17:56:14 4638720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"ptB1JhrKOh"= C:\Documents and Settings\All Users\Application Data\axwxufkz\ifglsdat.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source= file:///C:\WINDOWS\privacy_danger\index.htm
FriendlyName= Privacy Protection

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtstu]
C:\WINDOWS\system32\vtstu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Valve\\hl.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\iPod\\iPod Updater 2005-09-06\\iPod Updater 2005-09-06.exe"=
"C:\\Program Files\\3DO\\Heroes 3 Complete\\ONLINE\\AUTORUN.EXE"=
"C:\\Program Files\\FirstClass\\fcc32.exe"=
"C:\\Program Files\\Guild Wars\\Gw.exe"=
"C:\\Program Files\\K-Lite Codec Pack\\filters\\3ivxConfig.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"C:\Program Files\Bradford Networks\Client Security Agent\bndaemon.exe"= C:\Program Files\Bradford Networks\Client Security Agent\bndaemon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19433:TCP"= 19433:TCP:BitComet 19433 TCP
"19433:UDP"= 19433:UDP:BitComet 19433 UDP
"80:TCP"= 80:TCP:BitComet 80 TCP
"80:UDP"= 80:UDP:BitComet 80 UDP
"23071:TCP"= 23071:TCP:BitComet 23071 TCP
"23071:UDP"= 23071:UDP:BitComet 23071 UDP
"16189:TCP"= 16189:TCP:BitComet 16189 TCP
"16189:UDP"= 16189:UDP:BitComet 16189 UDP
"20831:TCP"= 20831:TCP:BitComet 20831 TCP
"20831:UDP"= 20831:UDP:BitComet 20831 UDP

R0 netflt;Panda Preventium Driver.;C:\WINDOWS\system32\Drivers\netflt.sys [2005-10-21 12:06]
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\drivers\ShldDrv.sys [2007-02-23 09:42]
R2 BNPagent;Client Security Agent Service;"C:\Program Files\Bradford Networks\Client Security Agent\bndaemon.exe" [2007-08-23 16:32]
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys [2005-04-05 17:33]
R2 PAVFIRES;Panda Firewall Service;"C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe" [2005-03-29 12:59]
R2 Pavkre;Panda Pavkre;"C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe" [2005-08-30 15:51]
R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2007-02-23 09:42]
R2 PavProt;Panda PavProt;"C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe" [2005-08-30 15:51]
R2 PREVSRV;Panda Preventium+ Service;"C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe" [2004-10-30 17:43]
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys [2002-04-15 18:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Install.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9537cf67-56d0-11da-8427-00e0186b809d}]
\Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac4efe76-6b7a-11dc-871e-00e0186b809d}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d022ee61-4928-11db-85af-00e0186b809d}]
\Shell\AutoRun\command - G:\Autorun.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 23:21:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 08:00:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc24.tmp"
.
Completion time: 2008-03-26 8:01:59
ComboFix-quarantined-files.txt 2008-03-26 15:01:41
ComboFix2.txt 2008-03-26 05:25:34
.
2007-10-18 07:00:47 --- E O F ---

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:21 PM

Posted 26 March 2008 - 07:00 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

Folder::
C:\Documents and Settings\All Users\Application Data\axwxufkz

File::
C:\WINDOWS\system32\hghcrwxw.exe
C:\WINDOWS\system32\erinwjct.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9446B773-2632-41F3-B37B-F303EC1A3CA4}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"wrvvxmmn"=-
"ypoghmim"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"ptB1JhrKOh"=-
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtstu]
[-HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 theblacksun

theblacksun
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 27 March 2008 - 01:10 AM

Heres the combfix and new hijackthis logs
ComboFix 08-03-25.2 - Ian 2008-03-26 10:44:39.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.718 [GMT -7:00]
Running from: C:\Documents and Settings\Ian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ian\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\erinwjct.exe
C:\WINDOWS\system32\hghcrwxw.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\axwxufkz
C:\Documents and Settings\All Users\Application Data\axwxufkz\ifglsdat.exe
C:\WINDOWS\system32\erinwjct.exe
C:\WINDOWS\system32\hghcrwxw.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-26 to 2008-03-26 )))))))))))))))))))))))))))))))
.

2008-03-26 19:05 . 2008-03-26 19:05 94,208 --a------ C:\WINDOWS\system32\vsbcxolk.exe
2008-03-26 00:59 . 2008-03-26 07:04 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-03-26 00:05 . 2008-03-26 00:05 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-26 00:05 . 2008-03-26 00:05 <DIR> d-------- C:\Documents and Settings\Ian\Application Data\SUPERAntiSpyware.com
2008-03-26 00:05 . 2008-03-26 00:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-25 23:05 . 2008-03-25 23:05 <DIR> d-------- C:\Documents and Settings\Ian\DoctorWeb
2008-03-23 18:53 . 2008-03-23 18:53 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-23 18:53 . 2008-03-23 18:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-23 17:33 . 2008-03-23 17:33 <DIR> d-------- C:\Program Files\CCleaner
2008-03-23 17:19 . 2008-03-23 17:19 3,258 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-23 17:12 . 2008-03-26 00:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-23 17:10 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-23 17:10 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-23 17:10 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-23 17:10 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-23 17:10 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-23 17:10 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-23 11:02 . 2008-03-23 11:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-03-23 10:41 . 2008-03-23 10:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-03-22 22:50 . 2008-03-22 22:50 <DIR> d-------- C:\WINDOWS\Search And Destroy
2008-03-22 22:50 . 2008-03-22 22:50 <DIR> d-------- C:\Program Files\Search And Destroy
2008-03-22 22:30 . 2008-03-22 22:30 <DIR> d-------- C:\Program Files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 18:00 80 ----a-w C:\WINDOWS\system32\drivers\netfltConfig.dat
2008-03-26 18:00 --------- d-----w C:\Program Files\Steam
2008-03-01 03:32 --------- d-----w C:\Program Files\Warcraft III
2008-02-22 02:23 --------- d-----w C:\Program Files\DivX
2008-02-14 20:32 --------- d-----w C:\Program Files\ReflexiveArcade
2008-02-12 00:40 --------- d-----w C:\Program Files\LimeWire
2008-02-12 00:40 --------- d-----w C:\Program Files\AIM
2008-02-04 06:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
2005-05-14 00:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 18:13 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-14 04:27 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-10-08 02:14 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll
2005-07-14 19:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 22:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 05:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2004-01-25 07:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2006-04-27 17:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll
2006-06-10 22:56 681,175 --sh--w C:\WINDOWS\system32\utstv.bak1
2005-02-28 20:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 07:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
.

((((((((((((((((((((((((((((( snapshot@2008-03-25_22.23.34.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-26 07:05:09 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-03-26 07:05:09 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"Steam"="C:\Program Files\Steam\Steam.exe" [2007-10-17 14:43 1271032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools\daemon.exe" [2008-01-03 06:54 486856]
"SearchAndDestroyMFC"="C:\Program Files\Search And Destroy\Search And Destroy.exe" [2008-01-01 10:24 12546155]
"tfyjautv"="C:\WINDOWS\system32\vsbcxolk.exe" [2008-03-26 19:05 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-07-29 04:07 188416]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 03:24 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 14:54 229952]
"bncsaui.exe"="C:\Program Files\Bradford Networks\Client Security Agent\bncsaui.exe" [2007-08-23 16:32 1916296]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 10:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 10:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 10:22 86016]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2008-01-07 17:56 1816208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-06-13 10:34 2078944]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless-B PCI Adapter Utility.lnk - C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe [2005-01-15 17:56:14 4638720]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Valve\\hl.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\iPod\\iPod Updater 2005-09-06\\iPod Updater 2005-09-06.exe"=
"C:\\Program Files\\3DO\\Heroes 3 Complete\\ONLINE\\AUTORUN.EXE"=
"C:\\Program Files\\FirstClass\\fcc32.exe"=
"C:\\Program Files\\Guild Wars\\Gw.exe"=
"C:\\Program Files\\K-Lite Codec Pack\\filters\\3ivxConfig.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"C:\Program Files\Bradford Networks\Client Security Agent\bndaemon.exe"= C:\Program Files\Bradford Networks\Client Security Agent\bndaemon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19433:TCP"= 19433:TCP:BitComet 19433 TCP
"19433:UDP"= 19433:UDP:BitComet 19433 UDP
"80:TCP"= 80:TCP:BitComet 80 TCP
"80:UDP"= 80:UDP:BitComet 80 UDP
"23071:TCP"= 23071:TCP:BitComet 23071 TCP
"23071:UDP"= 23071:UDP:BitComet 23071 UDP
"16189:TCP"= 16189:TCP:BitComet 16189 TCP
"16189:UDP"= 16189:UDP:BitComet 16189 UDP
"20831:TCP"= 20831:TCP:BitComet 20831 TCP
"20831:UDP"= 20831:UDP:BitComet 20831 UDP

R0 netflt;Panda Preventium Driver.;C:\WINDOWS\system32\Drivers\netflt.sys [2005-10-21 12:06]
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\drivers\ShldDrv.sys [2007-02-23 09:42]
R2 BNPagent;Client Security Agent Service;"C:\Program Files\Bradford Networks\Client Security Agent\bndaemon.exe" [2007-08-23 16:32]
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys [2005-04-05 17:33]
R2 PAVFIRES;Panda Firewall Service;"C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe" [2005-03-29 12:59]
R2 Pavkre;Panda Pavkre;"C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe" [2005-08-30 15:51]
R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2007-02-23 09:42]
R2 PavProt;Panda PavProt;"C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe" [2005-08-30 15:51]
R2 PREVSRV;Panda Preventium+ Service;"C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe" [2004-10-30 17:43]
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys [2002-04-15 18:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Install.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9537cf67-56d0-11da-8427-00e0186b809d}]
\Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac4efe76-6b7a-11dc-871e-00e0186b809d}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d022ee61-4928-11db-85af-00e0186b809d}]
\Shell\AutoRun\command - G:\Autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 23:21:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-26 11:00:55
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwQueryKey, ZwOpenKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys Wireless-G PCI Adapter\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Adapter\WMP54Gv4.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\apvxdwin.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-26 11:05:20 - machine was rebooted [Ian]
ComboFix-quarantined-files.txt 2008-03-26 18:05:09
ComboFix2.txt 2008-03-26 15:02:01
ComboFix3.txt 2008-03-26 05:25:34
.
2007-10-18 07:00:47 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:54 AM, on 3/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Anti-Malware\a2service.exe
C:\Program Files\Bradford Networks\Client Security Agent\bndaemon.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Linksys Wireless-G PCI Adapter\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Adapter\WMP54Gv4.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\apvxdwin.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\WebProxy.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Bradford Networks\Client Security Agent\bncsaui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\vsbcxolk.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Ian\Desktop\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [bncsaui.exe] %ProgramFiles%\Bradford Networks\Client Security Agent\bncsaui.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [SearchAndDestroyMFC] C:\Program Files\Search And Destroy\Search And Destroy.exe
O4 - HKCU\..\Run: [tfyjautv] C:\WINDOWS\system32\vsbcxolk.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'Default user')
O4 - Global Startup: Wireless-B PCI Adapter Utility.lnk = C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {22D4879A-92DB-470D-8A83-E158797D8176} (Liquid.LiquidHelper) - file://E:\components\Liquid.ocx
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Anti-Malware Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Malware\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Client Security Agent Service (BNPagent) - Bradford Networks - C:\Program Files\Bradford Networks\Client Security Agent\bndaemon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: NICSer_WMP11 - Unknown owner - C:\Program Files\Linksys\WMP11 Config Utility\NICServ.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Firewall Service (PAVFIRES) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
O23 - Service: Panda Pavkre (Pavkre) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe
O23 - Service: Panda PavProt (PavProt) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Panda Preventium+ Service (PREVSRV) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software Internacional - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PsImSvc.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Adapter\WLService.exe
O24 - Desktop Component 0: (no name) - http://homestarrunner.com/hsicons/sbdance.gif

--
End of file - 9664 bytes
Thanks

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:21 PM

Posted 27 March 2008 - 07:44 AM

We're just about there, but something's being a little stubborn.


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File(in the menu at the top)>Save as../Save as Type: 'All Files' /File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\utstv.bak1
C:\WINDOWS\meta4.exe
C:\WINDOWS\MOTA113.exe
C:\WINDOWS\x2.64.exe
C:\WINDOWS\system32\avisynth.dll
C:\WINDOWS\system32\AVSredirect.dll
C:\WINDOWS\system32\cygwin1.dll
C:\WINDOWS\system32\cygz.dll
C:\WINDOWS\system32\i420vfw.dll
C:\WINDOWS\system32\Smab.dll
C:\WINDOWS\system32\x.264.exe
C:\WINDOWS\system32\yv12vfw.dll
C:\WINDOWS\system32\vsbcxolk.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tfyjautv"=-
Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

Posted Image

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.



I see you have Superantispyware installed. Make sure it is updated and then run a full scan with it. Please post that log in your next reply also.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 theblacksun

theblacksun
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 28 March 2008 - 10:59 AM

ok, so i have no way of updating superantispyware because it can't update through a proxy server,
here is the log anyway, and the new combofix log is at the end

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/27/2008 at 02:07 AM

Application Version : 4.0.1154

Core Rules Database Version : 3412
Trace Rules Database Version: 1404

Scan type : Complete Scan
Total Scan Time : 00:40:03

Memory items scanned : 519
Memory threats detected : 0
Registry items scanned : 4580
Registry threats detected : 0
File items scanned : 15684
File threats detected : 12

Adware.Tracking Cookie
C:\Documents and Settings\Ian\Cookies\ian@tribalfusion[2].txt
C:\Documents and Settings\Ian\Cookies\ian@apmebf[1].txt
C:\Documents and Settings\Ian\Cookies\ian@rotator.adjuggler[1].txt
C:\Documents and Settings\Ian\Cookies\ian@atdmt[2].txt
C:\Documents and Settings\Ian\Cookies\ian@adtech[1].txt
C:\Documents and Settings\Ian\Cookies\ian@media.fastclick[1].txt
C:\Documents and Settings\Ian\Cookies\ian@ad.yieldmanager[2].txt
C:\Documents and Settings\Ian\Cookies\ian@doubleclick[1].txt
C:\Documents and Settings\Ian\Cookies\ian@ads.bleepingcomputer[1].txt
C:\Documents and Settings\Ian\Cookies\ian@pandasoftware.112.2o7[1].txt
C:\Documents and Settings\Ian\Cookies\ian@statcounter[1].txt
C:\Documents and Settings\Ian\Cookies\ian@fastclick[1].txt

ComboFix 08-03-25.2 - Ian 2008-03-27 19:46:45.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.672 [GMT -7:00]
Running from: C:\Documents and Settings\Ian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ian\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\meta4.exe
C:\WINDOWS\MOTA113.exe
C:\WINDOWS\system32\avisynth.dll
C:\WINDOWS\system32\AVSredirect.dll
C:\WINDOWS\system32\cygwin1.dll
C:\WINDOWS\system32\cygz.dll
C:\WINDOWS\system32\i420vfw.dll
C:\WINDOWS\system32\Smab.dll
C:\WINDOWS\system32\utstv.bak1
C:\WINDOWS\system32\vsbcxolk.exe
C:\WINDOWS\system32\x.264.exe
C:\WINDOWS\system32\yv12vfw.dll
C:\WINDOWS\x2.64.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\meta4.exe
C:\WINDOWS\MOTA113.exe
C:\WINDOWS\system32\avisynth.dll
C:\WINDOWS\system32\AVSredirect.dll
C:\WINDOWS\system32\cygwin1.dll
C:\WINDOWS\system32\cygz.dll
C:\WINDOWS\system32\i420vfw.dll
C:\WINDOWS\system32\Smab.dll
C:\WINDOWS\system32\utstv.bak1
C:\WINDOWS\system32\vsbcxolk.exe
C:\WINDOWS\system32\x.264.exe
C:\WINDOWS\system32\yv12vfw.dll
C:\WINDOWS\x2.64.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-28 )))))))))))))))))))))))))))))))
.

2008-03-26 00:59 . 2008-03-26 22:27 <DIR> d-------- C:\Program Files\a-squared Anti-Malware
2008-03-26 00:05 . 2008-03-26 00:05 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-26 00:05 . 2008-03-26 00:05 <DIR> d-------- C:\Documents and Settings\Ian\Application Data\SUPERAntiSpyware.com
2008-03-26 00:05 . 2008-03-26 00:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-25 23:05 . 2008-03-25 23:05 <DIR> d-------- C:\Documents and Settings\Ian\DoctorWeb
2008-03-23 18:53 . 2008-03-23 18:53 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-23 18:53 . 2008-03-23 18:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-23 17:33 . 2008-03-23 17:33 <DIR> d-------- C:\Program Files\CCleaner
2008-03-23 17:19 . 2008-03-23 17:19 3,258 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-23 17:12 . 2008-03-26 00:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-23 17:10 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-03-23 17:10 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-03-23 17:10 . 2008-03-22 15:49 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-03-23 17:10 . 2008-03-15 17:16 82,432 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-03-23 17:10 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-03-23 17:10 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-03-23 11:02 . 2008-03-23 11:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-03-23 10:41 . 2008-03-23 10:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Tools
2008-03-22 22:50 . 2008-03-22 22:50 <DIR> d-------- C:\WINDOWS\Search And Destroy
2008-03-22 22:50 . 2008-03-26 22:53 <DIR> d-------- C:\Program Files\Search And Destroy
2008-03-22 22:30 . 2008-03-22 22:30 <DIR> d-------- C:\Program Files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 02:45 80 ----a-w C:\WINDOWS\system32\drivers\netfltConfig.dat
2008-03-28 02:37 --------- d-----w C:\Program Files\Steam
2008-03-01 03:32 --------- d-----w C:\Program Files\Warcraft III
2008-02-22 02:23 --------- d-----w C:\Program Files\DivX
2008-02-14 20:32 --------- d-----w C:\Program Files\ReflexiveArcade
2008-02-12 00:40 --------- d-----w C:\Program Files\LimeWire
2008-02-12 00:40 --------- d-----w C:\Program Files\AIM
2008-02-04 06:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-01-04 20:11 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
.

((((((((((((((((((((((((((((( snapshot@2008-03-25_22.23.34.93 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-26 07:05:09 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-03-26 07:05:09 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24 1694208]
"Steam"="C:\Program Files\Steam\Steam.exe" [2007-10-17 14:43 1271032]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools\daemon.exe" [2008-01-03 06:54 486856]
"SearchAndDestroyMFC"="C:\Program Files\Search And Destroy\Search And Destroy.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 16:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2006-07-29 04:07 188416]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-24 03:24 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-25 14:54 229952]
"bncsaui.exe"="C:\Program Files\Bradford Networks\Client Security Agent\bncsaui.exe" [2007-08-23 16:32 1916296]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 10:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 10:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 10:22 86016]
"a-squared"="C:\Program Files\a-squared Anti-Malware\a2guard.exe" [2008-01-07 17:56 1816208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Spyware Doctor"="C:\Program Files\Spyware Doctor\swdoctor.exe" [2006-06-13 10:34 2078944]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Wireless-B PCI Adapter Utility.lnk - C:\Program Files\Linksys\WMP11 Config Utility\WMP11Cfg.exe [2005-01-15 17:56:14 4638720]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\PandaFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\AIM\\aim.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Valve\\hl.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\iPod\\iPod Updater 2005-09-06\\iPod Updater 2005-09-06.exe"=
"C:\\Program Files\\3DO\\Heroes 3 Complete\\ONLINE\\AUTORUN.EXE"=
"C:\\Program Files\\FirstClass\\fcc32.exe"=
"C:\\Program Files\\Guild Wars\\Gw.exe"=
"C:\\Program Files\\K-Lite Codec Pack\\filters\\3ivxConfig.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Warlords\\Civ4Warlords_PitBoss.exe"=
"C:\Program Files\Bradford Networks\Client Security Agent\bndaemon.exe"= C:\Program Files\Bradford Networks\Client Security Agent\bndaemon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"19433:TCP"= 19433:TCP:BitComet 19433 TCP
"19433:UDP"= 19433:UDP:BitComet 19433 UDP
"80:TCP"= 80:TCP:BitComet 80 TCP
"80:UDP"= 80:UDP:BitComet 80 UDP
"23071:TCP"= 23071:TCP:BitComet 23071 TCP
"23071:UDP"= 23071:UDP:BitComet 23071 UDP
"16189:TCP"= 16189:TCP:BitComet 16189 TCP
"16189:UDP"= 16189:UDP:BitComet 16189 UDP
"20831:TCP"= 20831:TCP:BitComet 20831 TCP
"20831:UDP"= 20831:UDP:BitComet 20831 UDP

R0 netflt;Panda Preventium Driver.;C:\WINDOWS\system32\Drivers\netflt.sys [2005-10-21 12:06]
R1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\drivers\ShldDrv.sys [2007-02-23 09:42]
R2 BNPagent;Client Security Agent Service;"C:\Program Files\Bradford Networks\Client Security Agent\bndaemon.exe" [2007-08-23 16:32]
R2 cpoint;Panda CPoint Driver;C:\WINDOWS\system32\Drivers\cpoint.sys [2005-04-05 17:33]
R2 PAVFIRES;Panda Firewall Service;"C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Firewall\PavFires.exe" [2005-03-29 12:59]
R2 Pavkre;Panda Pavkre;"C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\Pavkre.exe" [2005-08-30 15:51]
R2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [2007-02-23 09:42]
R2 PavProt;Panda PavProt;"C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavProt.exe" [2005-08-30 15:51]
R2 PREVSRV;Panda Preventium+ Service;"C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\prevsrv.exe" [2004-10-30 17:43]
R3 AvFlt;Antivirus Filter Driver;C:\WINDOWS\system32\drivers\av5flt.sys []
R3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys [2002-04-15 18:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\Install.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9537cf67-56d0-11da-8427-00e0186b809d}]
\Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ac4efe76-6b7a-11dc-871e-00e0186b809d}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d022ee61-4928-11db-85af-00e0186b809d}]
\Shell\AutoRun\command - G:\Autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-01 23:21:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-27 19:50:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
.
Completion time: 2008-03-27 19:51:50
ComboFix-quarantined-files.txt 2008-03-28 02:51:32
ComboFix2.txt 2008-03-26 18:05:23
ComboFix3.txt 2008-03-26 15:02:01
ComboFix4.txt 2008-03-26 05:25:34
.
2007-10-18 07:00:47 --- E O F ---

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:21 PM

Posted 29 March 2008 - 06:55 AM

Your logs look pretty good to me. How are things working on your end?
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#9 theblacksun

theblacksun
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:05:21 PM

Posted 29 March 2008 - 10:32 AM

i think you cured me, there are no more pop-ups or little boxes telling me to buy stuff
thank you so much

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:21 PM

Posted 29 March 2008 - 03:37 PM

Glad I could help! :thumbsup:

Just a few last things and you should be good to go! :blink:


First, your log shows that you don't have the recovery console installed.
Check this link for more info on the recovery console and how to get it installed.
http://www.bleepingcomputer.com/tutorials/how-to-install-the-windows-xp-recovery-console/


===================



Next, let's remove Combofix now that we're done with it and clean up a few other things.
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK

    • Posted Image
  • When shown the disclaimer, Select "2"
The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.


==================



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and reenable system restore to make sure there are no infected files found in a restore point left over from what we have just cleaned.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Renable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

:wacko: :)
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:05:21 PM

Posted 21 April 2008 - 07:15 AM

Now that your problem appears to be resolved, this thread will be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request.
Posted Image If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users